JSA Component Types
Each JSA appliance that is added to the deployment has configurable components that specify the way that the managed host behaves in JSA.
The JSA console provides the JSA product interface, real-time event and flow views, reports, offenses, asset information, and administrative functions. In distributed environments, the JSA console is used to manage the other components in the deployment.
The Event Collector collects events from local and remote log sources, and normalizes the raw event data so that it can be used by JSA. To conserve system resources, the Event Collector bundles identical events together and sends the data to the Event Processor.
The Event Processor processes events that are collected from one or more Event Collector components. If events are matched to the custom rules that are defined on the Console, the Event Processor follows the action that is defined in the rule response.
Each Event Processor has local storage. Event data is stored on the processor, or it can be stored on a Data Node.
JSA Flow Processor
JSA flow processor collects network flows from devices on your network. Live and recorded feeds are included, such as network taps, span ports, NetFlow, and JSA flow logs.
Log Manager doesn't support flow collection.
The Flow Processor processes flows from one or more JSA flow processor appliances. The Flow Processor appliance can also collect external network flows such as NetFlow, J-Flow, and sFlow directly from routers in your network.
Flow Processors include an on-board processor and internal storage for flow data.
The Data Node receives security events and flows from event and flow processors, and stores the data to disk.
The Data Node is always connected to either an Event Processor or a Flow Processor.
Off-site Source and Target Appliances
An off-site appliance is a JSA appliance that is not part of the deployment that is monitored by the JSA console.
An off-site source appliance forwards normalized data to an Event Collector. You can configure an off-site source to encrypt the data before forwarding.
An off-site target appliance receives normalized event or flow data from any Event Collector, or any processor in your deployment.
Later versions of JSA systems can receive data from earlier versions of JSA systems, but earlier versions can't receive data from later versions. To avoid problems, upgrade all receivers before you upgrade senders.